CORS Request same origin ignored if no other origin set #30698

@yoadey

Description

Describe the bug

If the CORS filter is enabled to prevent CORS attacks, but no other origin is set because we expect all requests from the same origin, at least POST requests are blocked in Chrome.

GET requests do not send the Origin header, so the CORS check is skipped, but POST requests include the Origin header even if it's from the same origin.

Expected behavior

If CORS is enabled, same origin requests are always successful, even if no other origins are set.

Actual behavior

If the property quarkus.http.cors=true is set, but quarkus.http.cors.origins is not set, the same origin policy introduced in #29626 should come into place and always allow requests from the same origin.

How to Reproduce?

Steps to reproduce:

  1. create a web app with swagger UI
  2. add a POST method
  3. set quarkus.http.cors=true
  4. invoke it in Chrome via swagger

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.16.0.FINAL

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

In CORSFilter line 191:


the AND also includes the sameOrigin.

The closing bracket of the AND should probably be after line 192?
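The behaviour the issue asks for, as an added illustration that is not Quarkus's CORSFilter code: a same-origin request (which Chrome still sends with an Origin header on POST) is accepted regardless of the allowlist, even when that allowlist is empty, and only cross-origin requests are checked against it. The request shape, the `allowedOrigins` config name and the `corsDecision` / `normalizeOrigin` functions are this example's own, not Quarkus API; it also assumes the server knows the scheme it terminated and uses the Host header as its own origin.

```javascript
// Added illustration (not Quarkus's CORSFilter): decide how a CORS filter should
// treat a request when the configured allowlist may be empty. Same-origin
// requests are always accepted; cross-origin ones must match the allowlist.

// Default ports, so "https://h" and "https://h:443" normalise to the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Normalise an origin string to "scheme://host:port". Returns null for anything
// that is not a parseable http(s) origin, including the literal "null" that
// browsers send for sandboxed documents, so such values can never match.
function normalizeOrigin(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch (_e) {
    return null;
  }
  if (!DEFAULT_PORTS[u.protocol]) return null; // only http(s) origins are comparable
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// The request's own origin: the scheme the server terminated plus the Host
// header (which may carry a port). Behind a reverse proxy these would have to
// come from Forwarded / X-Forwarded-* headers instead; this example assumes
// the server is reached directly.
function requestOrigin(scheme, hostHeader) {
  return normalizeOrigin(`${scheme}://${hostHeader}`);
}

// req:    { scheme: 'http'|'https', headers: { host, origin? } }  (constructed shape)
// config: { allowedOrigins: [...] }                               (example's own name)
// Returns one of 'no-cors', 'same-origin', 'allowed', 'forbidden'.
function corsDecision(req, config) {
  const originHeader = req.headers.origin;
  if (originHeader === undefined) return 'no-cors'; // not a CORS request at all
  const origin = normalizeOrigin(originHeader);
  if (origin !== null && origin === requestOrigin(req.scheme, req.headers.host)) {
    return 'same-origin'; // accepted regardless of the allowlist, even an empty one
  }
  const allowed = (config.allowedOrigins || []).map(normalizeOrigin).filter(Boolean);
  return origin !== null && allowed.includes(origin) ? 'allowed' : 'forbidden';
}

// Constructed sample traffic for an app served on http://localhost:8080 with an
// empty allowlist, i.e. the situation described in this issue.
const EMPTY_ALLOWLIST = { allowedOrigins: [] };
const SAMPLES = [
  { label: 'GET without Origin',
    req: { scheme: 'http', headers: { host: 'localhost:8080' } } },
  { label: 'POST from same origin (Chrome sends Origin)',
    req: { scheme: 'http', headers: { host: 'localhost:8080', origin: 'http://localhost:8080' } } },
  { label: 'POST from another site',
    req: { scheme: 'http', headers: { host: 'localhost:8080', origin: 'http://attacker.example' } } },
  { label: 'POST with Origin: null',
    req: { scheme: 'http', headers: { host: 'localhost:8080', origin: 'null' } } },
];

function evaluateSamples(config = EMPTY_ALLOWLIST) {
  return SAMPLES.map((s) => ({ label: s.label, decision: corsDecision(s.req, config) }));
}

for (const r of evaluateSamples()) console.log(`${r.decision.padEnd(12)} ${r.label}`);
```

Two points a practitioner would check when applying this: same-origin detection compares scheme, host and port after default-port normalisation, so `https://app.example.com` and `https://app.example.com:443` are the same origin while `http://` versus `https://` on the same host is not; and an `Origin: null` value is never treated as same-origin or allowlisted, since any sandboxed or redirected document can produce it.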
